On Cross-Site Scripting, Fallback Authentication and Privacy in Web Applications


On Cross-Site Scripting, Fallback Authentication and Privacy in Web Applications

Ashar Javed (Place of birth: Bahawalpur (Pakistan))
[email protected]
13th November 2015

Ruhr-University Bochum
Horst Görtz Institute for IT-Security
Chair for Network and Data Security

Dissertation submitted for the degree of Doktor-Ingenieur at the Faculty of Electrical Engineering and Information Technology of Ruhr-Universität Bochum

Submission Date: 09-04-2015
Oral Exam Date: 08-07-2015
First Supervisor: Prof. Dr. rer. nat. Jörg Schwenk
Second Supervisor: Prof. Dr. rer. nat. Joachim Posegga
www.nds.rub.de

Contents

1 Introduction ... 15
  1.1 Cross-Site Scripting ... 15
    1.1.1 Facts and Figures ... 15
  1.2 Account Recovery ... 16
    1.2.1 Facts and Figures ... 16
  1.3 Third-Party Tracking ... 17
  1.4 Motivation ... 17
  1.5 Organization of Thesis ... 18
2 Fundamentals ... 21
  2.1 Web Application ... 21
  2.2 Hypertext Transfer Protocol (HTTP) ... 21
    2.2.1 Types of HTTP Requests ... 24
  2.3 Uniform Resource Locator (URL) ... 24
  2.4 Same-Origin Policy ... 26
    2.4.1 Same-Origin Policy for JavaScript By Example ... 26
  2.5 Content Injection Attack ... 27
  2.6 Cross-Site Scripting ... 28
    2.6.1 Reflected XSS ... 29
    2.6.2 Stored XSS ... 31
    2.6.3 Self-XSS ... 32
  2.7 Cookie Theft ... 32
    2.7.1 XSS Exploitation: Exemplified at Cookie Theft ... 33
  2.8 Common XSS Mitigation Approaches ... 34
    2.8.1 Input Filtering ... 35
    2.8.2 Output Encoding ... 36
    2.8.3 Security Policy ... 37
  2.9 Fallback Authentication ... 38
  2.10 Privacy ... 40
    2.10.1 HTTP Cookies ... 40
    2.10.2 Online Advertising ... 41
3 XSS and Mobile Web Applications ... 43
  3.1 Introduction ... 45
  3.2 Case Studies ... 45
    3.2.1 Example 1: The New York Times ... 45
    3.2.2 Example 2: StatCounter ... 46
  3.3 Survey ... 49
    3.3.1 Methodology of Testing Websites ... 50
    3.3.2 Ethical Considerations ... 50
    3.3.3 HTML Usage on Mobile Sites ... 51
    3.3.4 JavaScript Usage on Mobile Sites ... 51
  3.4 Overview of XSS Filtering Approach ... 51
    3.4.1 Regular Expressions ... 52
    3.4.2 Black-list Approach ... 52
    3.4.3 Community-Input ... 52
    3.4.4 Threat Model ... 53
    3.4.5 Limitations of Regular Expressions Used in Wassermann et al.'s stop xss function ... 53
  3.5 XSS Filter ... 56
    3.5.1 Category 1 Improvements ... 56
    3.5.2 Category 2 Improvements ... 57
    3.5.3 Category 3 Improvements ... 58
    3.5.4 Miscellaneous Additions ... 58
    3.5.5 Limitations ... 58
  3.6 Implementation and Testing ... 59
    3.6.1 Implementation ... 59
    3.6.2 Testing ... 59
  3.7 Evaluation ... 60
    3.7.1 Evaluation in Terms of Time and Memory ... 60
    3.7.2 Execution Time of XSS Filter JavaScript Function ... 61
    3.7.3 False Positives Evaluation ... 61
    3.7.4 Adoption ... 64
  3.8 Related Work ... 65
  3.9 Comparison to Other Approaches ... 65
  3.10 Conclusion ... 66
  3.11 Acknowledgements ... 66
4 XSS and PHP ... 67
  4.1 Abstract ... 68
  4.2 Introduction ... 69
    4.2.1 Markup Injection and Cross-Site-Scripting (XSS) ... 69
    4.2.2 Context-aware Encoding and CFC Characters ... 70
    4.2.3 False Positives ... 71
    4.2.4 Bypasses ... 71
    4.2.5 Systematic CFC-based Approach ... 72
    4.2.6 Prefix Enforcement ... 73
    4.2.7 Applications of the Methodology ... 73
    4.2.8 Contribution ... 74
  4.3 Background ... 74
    4.3.1 JavaScript Embeddings ... 74
    4.3.2 Contexts for Reflecting User-provided Input ... 75
    4.3.3 PHP: Hypertext Preprocessor ... 75
    4.3.4 Whitebox Testing of PHP-based Mitigations ... 76
  4.4 Formal Model ... 76
    4.4.1 Parser Model ... 77
    4.4.2 Prefix Enforcement ... 78
  4.5 Determining the CFC Sets of Different Contexts ... 78
    4.5.1 HTML Context ... 79
    4.5.2 Attribute Context ... 79
    4.5.3 Script Context ... 80
    4.5.4 Style Context ... 81
    4.5.5 URI Context ... 82
  4.6 XSS Attack Methodology ... 82
    4.6.1 Basic Setup ... 82
    4.6.2 HTML Context ... 83
    4.6.3 Attribute Context ... 84
    4.6.4 URI Context ... 85
    4.6.5 Script Context ... 87
    4.6.6 Style Context ... 88
  4.7 Evaluation Results ... 89
    4.7.1 PHP's Built-In Functions ... 89
    4.7.2 Customized Solutions ... 90
    4.7.3 Web Frameworks ... 93
  4.8 Alexa Top 10 × 10 Sites ... 98
  4.9 Novel Context-Aware XSS Sanitizer ... 98
    4.9.1 HTML Context Filter ... 99
    4.9.2 Attribute Context Filter ... 99
    4.9.3 Script Context Filter ... 100
    4.9.4 Style Context Filter ... 100
    4.9.5 URL Context Filter ... 101
    4.9.6 Community Feedback ... 102
    4.9.7 False Positives ... 102
    4.9.8 Adoption ... 102
  4.10 Related Work ... 103
  4.11 Conclusion and Future Work ... 105
5 XSS and WYSIWYG Editors ... 107
  5.1 Introduction ... 107
  5.2 How Do WYSIWYG Editors Work? ... 111
  5.3 Methodology ... 112
    5.3.1 Testing Methodology ... 112
    5.3.2 Attack Methodology ... 112
  5.4 Evaluation of Attack Methodology ... 115
    5.4.1 XSS in Twitter Translation Forum's WYSIWYG Editor ... 115
    5.4.2 XSSes in TinyMCE's WYSIWYG Editor ... 117
    5.4.3 XSSes in Froala's WYSIWYG Editor ... 117
  5.5 Statistical Evaluation ... 118
  5.6 Practical and Low-Cost Countermeasures ... 119
    5.6.1 HttpOnly Cookies ... 119
    5.6.2 Iframe's "sandbox" ... 119
    5.6.3 Content Security Policy ... 119
    5.6.4 Guidelines for Developers of WYSIWYG Editors ... 120
  5.7 Conclusion ... 120
6 A Policy Language ... 121
  6.1 Introduction ... 122
    6.1.1 Related Work ... 123
    6.1.2 Design Goals ... 128
    6.1.3 Our Approach ... 128
    6.1.4 Contributions ... 130
    6.1.5 Running Example ... 130
  6.2 SIACHEN Policy Language ... 131
    6.2.1 Syntax ... 132
    6.2.2 SIACHEN's Directives ... 132
  6.3 Implementation ... 136
    6.3.1 Technical Details ... 136
    6.3.2 ECMAScript's Object Freezing Functions ... 137
    6.3.3 XSS Filter ... 138
    6.3.4 Output Encoding ... 138
    6.3.5 Protection Against XSS Attack Variants ... 139
    6.3.6 The script-nonce & Firefox Browser's Modification ... 140
  6.4 Evaluation ... 141
    6.4.1 General Methodology ... 141
  6.5 Testing ... 143
  6.6 Survey ... 144
    6.6.1 Prevalence of XSS ... 144
    6.6.2 Identification of Potential SIACHEN Venues ... 144
  6.7 Limitations of SIACHEN and Future Work ... 146
  6.8 Conclusion ... 146
7 Fallback Authentication ... 147
  7.1 Introduction ... 147
    7.1.1 Related Work ... 148
  7.2 Facebook Trusted Friends ... 150
    7.2.1 Invoking Trusted Friends ... 151
    7.2.2 Trusted Friends Authentication ... 151
    7.2.3 Trusted Contacts ... 152
  7.3 Trusted Friend Attack ... 152
    7.3.1 Recovery Flow of an Attacker ... 152
    7.3.2 POST Data Manipulation ... 153
    7.3.3 URL Manipulation ... 154
    7.3.4 Applicability ... 155
    7.3.5 Chained Trusted Friends Attack ... 155
  7.4 Facebook Security Measures and Bypasses ... 155
    7.4.1 Security Alert via Email or Mobile SMS ... 155
    7.4.2 24-Hour Locked-out Period ... 156
    7.4.3 Temporarily Locked ... 156
  7.5 Other Means of Fallback Authentication ... 157
    7.5.1 Recovery by Email to a Support Team ... 157
    7.5.2 Recovery by SMS ... 157
    7.5.3 Recovery by Answering Security Questions ... 157
  7.6 Conclusion ... 158
  7.7 Acknowledgments ... 158
8 Trusted Third-Party Cookie ... 159
  8.1 Introduction ... 159
    8.1.1 Cookies ... 161
    8.1.2 Online Advertising ... 161
    8.1.3 Contributions ... 161

Details

  • File Type: pdf
  • Content Language: English
  • File Pages: 202